[WIP] CM4 secure boot support #1095
Closed
alexgg force-pushed the alexgg/bb-signed-images branch 2 times, most recently from 561f164 to 78d328e (January 29, 2024 18:01)
alexgg force-pushed the alexgg/bb-signed-images branch from e462110 to f5fc5e8 (February 8, 2024 12:31)
alexgg force-pushed the alexgg/bb-signed-images branch 6 times, most recently from 7e861ba to b06c7b9 (February 27, 2024 21:08)
alexgg force-pushed the alexgg/bb-signed-images branch 3 times, most recently from 86250c6 to 9d2485e (February 29, 2024 18:59)
alexgg force-pushed the alexgg/bb-signed-images branch from 9d2485e to 8fab2fb (March 8, 2024 16:34)
alexgg force-pushed the alexgg/bb-signed-images branch from 8fab2fb to 7d40a04 (March 9, 2024 16:04)
Change-type: minor Signed-off-by: Michal Toman <[email protected]>
Changelog-entry: raspberrypicm4-ioboard: use balena bootloader Signed-off-by: Alex Gonzalez <[email protected]>
…ication Configure the Linux kernel to perform image authentication in kexec. Changelog-entry: Configure balena bootloader's kernel for kexec image authentication Signed-off-by: Alex Gonzalez <[email protected]>
Changelogs-entry: add class for RPI image signing Signed-off-by: Alex Gonzalez <[email protected]>
Changelog-entry: sign boot images if needed Signed-off-by: Alex Gonzalez <[email protected]>
This will be used in provisioning and copied to the SPI EEPROM. Changelog-entry: Deploy RPI public key Signed-off-by: Alex Gonzalez <[email protected]>
This avoids kernel and rootfs mismatches on rollbacks. Changelog-entry: built-in SPI kernel modules for EEPROM update Signed-off-by: Alex Gonzalez <[email protected]>
Adds an os-helper-otp file that contains the shared interface to the OTP. Changelog-entry: add public interface to OTP Signed-off-by: Alex Gonzalez <[email protected]>
This helper file is used to customize HUP and share variables with the flasher script. Changelog-entry: add os-helpers-sb Signed-off-by: Alex Gonzalez <[email protected]>
If secure boot is enabled, enable secure boot support in the EEPROM and prepare a signed SPI EEPROM image. Changelog-entry: Add RPI EEPROM secure boot support Signed-off-by: Alex Gonzalez <[email protected]>
Changelog-entry: add spi eeprom programming tool Signed-off-by: Alex Gonzalez <[email protected]>
Loading modules on demand is problematic in the case of rollbacks, as the running kernel does not match the rolled back root filesystem modules. Replace with building in the SPI support and binding/unbinding the driver when the specific dynamic configuration is changed. Changelog-entry: use built-in SPI drivers for EEPROM access Signed-off-by: Alex Gonzalez <[email protected]>
A secured device cannot have the EEPROM updated using this mechanism. A self-update is needed. Change-type: patch Signed-off-by: Alex Gonzalez <[email protected]>
Changelog-entry: use os logging functions in update hooks Signed-off-by: Alex Gonzalez <[email protected]>
This allows for the EEPROM to be updated in the hostOS update process. Changelog-entry: Run EEPROM update hook on HUP Signed-off-by: Alex Gonzalez <[email protected]>
Making balena-image-flasher buildable for secure boot use cases. Also, place EEPROM binaries in the boot partition so they can be used in the provisioning process. Changelog-entry: Support flasher image for secure boot use cases. Signed-off-by: Alex Gonzalez <[email protected]>
Include the files with the secureboot and disk encryption interface. Changelog-entry: provide secure boot and disk encryption abstraction Signed-off-by: Alex Gonzalez <[email protected]>
Allow to update the SPI EEPROM from the flasher images as this is required to enable secure boot as part of provisioning. Change-type: patch Signed-off-by: Alex Gonzalez <[email protected]>
Do not fail when trying to load modules from initramfs. Changelog-entry: adapt board init scripts to initramfs Signed-off-by: Alex Gonzalez <[email protected]>
Changelog-entry: specialize cryptsetup module for RPI Signed-off-by: Alex Gonzalez <[email protected]>
The firmware needs to support the OTP's GET_CUSTOMER_PRIVATE_KEY property. Changelog-entry: update raspberrypi firmware to latest Signed-off-by: Alex Gonzalez <[email protected]>
This is used to define the resin-mount recipe. Changelog-entry: define global nonenc boot label for raspberrypi4-64 Signed-off-by: Alex Gonzalez <[email protected]>
Add a mount service for the unencrypted boot partition. Changelog-entry: add mount service for the unencrypted boot partition Signed-off-by: Alex Gonzalez <[email protected]>
Duplicate 1-bootfiles into 2-encbootfiles so that the bootfiles are installed in two passes, one for the non-encrypted boot partition and a second one for the encrypted boot partition. The 1-bootfiles will differentiate based on the script name whether to target the encrypted or non-encrypted partitions for file installation. Changelog-entry: customize hostOS update script for secure boot Signed-off-by: Alex Gonzalez <[email protected]>
Inherit the use of OS_KERNEL_CMDLINE and OS_KERNEL_SECUREBOOT_CMDLINE from balenaOS distro settings. Also, use early console settings for osdev images. Changelog-entry: use distribution's kernel command line variables Signed-off-by: Alex Gonzalez <[email protected]>
Until u-boot is replaced by the balena bootloader we need to place the kernel + initramfs in the unencrypted boot partition so u-boot can find it. Signed-off-by: Alex Gonzalez <[email protected]>
With the definition of SIGN_API the initramfs image has increased. This still fits in the existing partition layout so there are really no other implications. Changelog-entry: adjust initramfs size for RPI4 Signed-off-by: Alex Gonzalez <[email protected]>
This reverts commit 623b754.
alexgg force-pushed the alexgg/bb-signed-images branch from 7d40a04 to 393b30f (March 18, 2024 10:19)
Superseded by #1117
No description provided.